1 00:00:00,900 --> 00:00:04,980 Hello and welcome to a new session. In this new session,
2 00:00:05,250 --> 00:00:11,550 we are going to talk about how we can now drop Trojans to do some malicious activity.
3 00:00:12,270 --> 00:00:14,160 Now, how do they do this?
4 00:00:14,490 --> 00:00:24,330 Typically, Trojans or malware do this by hiding the executables inside the file itself, and the places
5 00:00:24,330 --> 00:00:25,830 where they normally do this:
6 00:00:25,830 --> 00:00:32,910 this is either in the text section, or in the data section, or in the resource section.
7 00:00:33,900 --> 00:00:41,760 Now, this is an example of a calculator program, which you can look up from your Windows system directory,
8 00:00:41,760 --> 00:00:44,880 where you can find your calculator program.
9 00:00:45,390 --> 00:00:48,800 So after loading it, you will see the structure of the program.
10 00:00:48,800 --> 00:00:52,500 You have all these headers, plus the various sections.
11 00:00:52,920 --> 00:01:02,790 So in this session, I'm going to show you how you can create code to hide other executable shellcode
12 00:01:02,790 --> 00:01:04,590 inside the text section,
13 00:01:05,340 --> 00:01:07,980 or the data section, or the resource section.
14 00:01:09,000 --> 00:01:10,350 So let's get started.
15 00:01:11,100 --> 00:01:18,990 To do this, we are going to use another project file called Embedding Payload, which you can download
16 00:01:19,410 --> 00:01:20,220 from the resources.
17 00:01:20,220 --> 00:01:25,580 You should unzip it and put it in your malware folder. Inside it,
18 00:01:25,580 --> 00:01:30,910 you will find this project called Payload in Text Section.
19 00:01:30,930 --> 00:01:39,060 So this first project is where I will show you how you can hide a payload, a shellcode payload, in the text
20 00:01:39,060 --> 00:01:39,300 section.
21 00:01:39,330 --> 00:01:47,400 So what you call shellcode: shellcode is actually a string of bytes that gives instructions to execute,
22 00:01:47,400 --> 00:01:48,960 to do something.
23 00:01:49,500 --> 00:01:52,710 This thing, you can execute it from memory directly.
24 00:01:53,160 --> 00:02:00,550 And an example of this can be found in this .cpp file in the text section project.
25 00:02:00,570 --> 00:02:04,100 So just right-click on it and open it in Notepad.
26 00:02:05,930 --> 00:02:13,370 And in this example here, you see on top we have the usual includes, and then, yes, our main function,
27 00:02:13,370 --> 00:02:15,260 where the program's main section begins.
28 00:02:16,010 --> 00:02:24,690 And here you see there are a few variables being declared, and also a simple four-byte shellcode.
29 00:02:25,400 --> 00:02:28,370 So this is the thing that you are going to execute.
30 00:02:28,790 --> 00:02:34,220 You are going to hide this inside the text section of your code and then execute it.
31 00:02:34,940 --> 00:02:35,930 Now, how do we do that?
32 00:02:36,910 --> 00:02:45,940 The first thing you need to do is to call a function called VirtualAlloc, which is a Windows API function that
33 00:02:45,950 --> 00:02:51,050 lets you create memory locations for use by your process.
34 00:02:51,740 --> 00:02:53,870 And you set parameters for it.
35 00:02:54,170 --> 00:02:55,730 The first one is the address.
36 00:02:56,030 --> 00:02:59,300 And normally we leave it blank over here,
37 00:03:00,680 --> 00:03:06,120 zero. And then the length of the region, that is, the size you need.
38 00:03:06,810 --> 00:03:09,720 And then here, the type of allocation.
39 00:03:10,260 --> 00:03:15,480 So for the type, normally we would put MEM_COMMIT ORed with MEM_RESERVE.
40 00:03:15,990 --> 00:03:20,070 Then the last one is what kind of permission you want to set, the protection.
41 00:03:20,700 --> 00:03:25,140 So in this case, we want to set it to be readable and writable.
42 00:03:25,890 --> 00:03:32,220 So after you call VirtualAlloc, you allocate some region of memory for the process to use.
43 00:03:32,700 --> 00:03:36,100 And then it will return it in this variable.
44 00:03:36,530 --> 00:03:36,660 Here.
45 00:03:37,020 --> 00:03:40,630 In this case, we call it the allocated memory over here.
46 00:03:40,650 --> 00:03:43,770 You can see the value that is being returned.
47 00:03:44,610 --> 00:03:46,860 If you scroll down to the return type.
48 00:03:47,910 --> 00:03:48,690 Return type.
49 00:03:52,430 --> 00:03:58,160 Within the docs, you see the return value is the base address of the allocated region of pages.
50 00:03:58,550 --> 00:04:03,570 So this is how your program can allocate memory for its own use.
51 00:04:04,100 --> 00:04:06,020 This is called private memory.
52 00:04:06,860 --> 00:04:12,710 And then after you allocate it in memory, this location in memory is reserved for use by this process
53 00:04:12,710 --> 00:04:13,760 to do whatever you want.
54 00:04:14,180 --> 00:04:18,890 So in this example here, our shellcode is four bytes.
55 00:04:19,370 --> 00:04:22,790 And these are the hexadecimal values:
56 00:04:22,790 --> 00:04:28,370 90, 90, CC and C3. 90 is no operation.
57 00:04:28,640 --> 00:04:30,860 That means when the CPU sees it,
58 00:04:31,880 --> 00:04:40,250 it will just ignore it and proceed to the next instruction. CC is an int 3, a breakpoint, and thereby it will
59 00:04:40,250 --> 00:04:45,110 cause the program to halt if you are using a debugger to run the program.
60 00:04:45,840 --> 00:04:50,120 The debugger will halt on any CC instruction.
61 00:04:50,850 --> 00:04:58,380 It is deliberately put there to make it easy for you to inspect this program using x64dbg later. And C3
62 00:04:58,910 --> 00:05:00,230 is the code for return.
63 00:05:01,070 --> 00:05:04,630 We are going to put this inside the allocated region in memory here.
64 00:05:05,130 --> 00:05:07,100 These two lines here just print
65 00:05:07,550 --> 00:05:13,070 the address of the shellcode payload, which is this array here.
66 00:05:14,270 --> 00:05:21,130 And in this line here, we print the value of the allocated region of memory. When VirtualAlloc
67 00:05:21,140 --> 00:05:21,560 succeeds,
68 00:05:22,010 --> 00:05:24,080 you will get an allocated region here.
69 00:05:24,090 --> 00:05:26,330 And this is where you print it out so you can see.
70 00:05:27,710 --> 00:05:35,710 And over here, this API, RtlMoveMemory, has got three parameters.
71 00:05:35,720 --> 00:05:42,230 And you can take a look at the MSDN documentation for this API function.
72 00:05:42,920 --> 00:05:45,800 The first parameter is the destination address.
73 00:05:46,130 --> 00:05:48,260 The second parameter is the source address.
74 00:05:48,620 --> 00:05:50,190 And the third parameter is the length.
75 00:05:50,990 --> 00:05:57,530 So over here, you are going to copy the shellcode into the destination.
76 00:05:57,950 --> 00:06:04,670 So this shellcode comes from this array, and you are going to copy it into the newly allocated region in memory,
77 00:06:04,670 --> 00:06:08,600 which is over here, which has to be set to be readable, writable.
78 00:06:09,080 --> 00:06:16,780 It needs to be set to readable and writable so that this API function will be able to write
79 00:06:16,790 --> 00:06:17,180 to it.
80 00:06:18,290 --> 00:06:27,290 And then the third parameter, from the documentation, is the length, the length of the source that you are going
81 00:06:27,290 --> 00:06:29,960 to copy over to the destination.
82 00:06:30,470 --> 00:06:37,790 So the length of the shellcode is four, four bytes, because each of these instructions is one
83 00:06:37,790 --> 00:06:39,530 byte: one, two, three, four.
84 00:06:39,560 --> 00:06:40,760 So four bytes here.
85 00:06:42,240 --> 00:06:49,080 So this is what shellcode looks like. Shellcode is very low-level machine code and is ready to run
86 00:06:49,320 --> 00:06:50,670 by the CPU.
87 00:06:51,300 --> 00:06:56,820 So it doesn't have any headers, and you know that it is already
88 00:06:56,820 --> 00:06:59,040 in a very low-level form.
89 00:06:59,250 --> 00:07:01,770 It can be executed by the CPU.
90 00:07:02,550 --> 00:07:06,210 And in real-life malware, the shellcode will not be so short.
91 00:07:06,510 --> 00:07:12,160 It will be very long, and it can do many malicious things. After this line,
92 00:07:12,180 --> 00:07:20,070 here we have VirtualProtect. The purpose of VirtualProtect is to change the protection for a particular
93 00:07:20,070 --> 00:07:21,180 region of memory.
94 00:07:21,450 --> 00:07:24,030 And VirtualProtect takes four parameters.
95 00:07:24,450 --> 00:07:30,780 The first parameter is the address where you want to change the permission, and the size of it, and the new
96 00:07:30,780 --> 00:07:32,070 permission that you want to set,
97 00:07:32,340 --> 00:07:36,090 and what is the old permission that was previously there.
98 00:07:36,840 --> 00:07:39,150 So if you take a look at this VirtualProtect here,
99 00:07:39,180 --> 00:07:40,890 it also has four parameters.
100 00:07:41,400 --> 00:07:46,230 And then the first parameter is the newly allocated region of memory here.
101 00:07:46,650 --> 00:07:48,660 So the allocated region in memory,
102 00:07:48,840 --> 00:07:51,150 you make it readable, writable.
103 00:07:51,570 --> 00:07:57,060 And then here you copy the shellcode to that region in memory, because it is writable,
104 00:07:57,060 --> 00:08:02,340 so you can copy. After that, before you can execute this new shellcode
105 00:08:02,490 --> 00:08:03,690 that has just been copied,
106 00:08:04,020 --> 00:08:07,440 you need to make this region of memory executable.
107 00:08:08,010 --> 00:08:09,650 That is why you need VirtualProtect.
108 00:08:10,260 --> 00:08:19,720 So here, this parameter here is the type of permission you are using to set the new protection value.
109 00:08:19,740 --> 00:08:24,390 As you can see here, in this case, you want to make it executable and readable.
110 00:08:24,630 --> 00:08:27,570 That's why you set it to be this value in this parameter.
111 00:08:27,930 --> 00:08:35,760 And the fourth one is just a pointer to the old protection value, which normally we put as zero. What does
112 00:08:35,760 --> 00:08:37,650 VirtualProtect return?
113 00:08:37,680 --> 00:08:38,550 True or false?
114 00:08:39,300 --> 00:08:45,270 And this is true for success and false for failure to change the permission.
115 00:08:45,300 --> 00:08:47,160 So we can see the return type is BOOL.
116 00:08:47,610 --> 00:08:49,710 And you can scroll down and see the return type.
117 00:08:50,010 --> 00:08:51,240 If the function succeeds,
118 00:08:51,240 --> 00:08:53,250 the return value is nonzero.
119 00:08:55,020 --> 00:09:03,270 So then here you print a message in the program to show a prompt to tell the user.
120 00:09:04,320 --> 00:09:09,990 For our case, for educational purposes, we want to be able to see this so that we can press Enter.
121 00:09:10,380 --> 00:09:14,610 And then here we get your Enter key with the getchar function.
122 00:09:15,120 --> 00:09:17,010 It gets the Enter key from your terminal.
123 00:09:17,490 --> 00:09:24,060 And then here you test the return value from VirtualProtect. If VirtualProtect succeeds,
124 00:09:24,510 --> 00:09:26,670 then this return value would be nonzero.
125 00:09:27,090 --> 00:09:34,020 That means you will be able to enter here and create a thread out of this memory.
126 00:09:34,110 --> 00:09:34,770 CreateThread.
127 00:09:35,160 --> 00:09:35,700 CreateThread:
128 00:09:36,010 --> 00:09:40,320 it creates a thread within the virtual address space of the calling process.
129 00:09:40,800 --> 00:09:42,960 And these are all the parameters to it.
130 00:09:43,920 --> 00:09:48,060 So CreateThread actually runs, or executes, this code
131 00:09:48,420 --> 00:09:53,880 in a separate thread. And the parameters: normally the first two
132 00:09:53,880 --> 00:09:55,170 we leave as zero, zero.
133 00:09:55,560 --> 00:10:00,270 And then the third parameter, the instruction that you want to execute.
134 00:10:00,720 --> 00:10:07,140 So in this case, the instruction is the memory address that we allocated here, which we have just copied the shellcode
135 00:10:07,140 --> 00:10:07,650 into.
136 00:10:07,980 --> 00:10:09,190 Now we want to execute it.
137 00:10:09,690 --> 00:10:16,500 And normally that causes this memory region to become an executable thread routine.
138 00:10:16,980 --> 00:10:19,860 And the last three parameters, we just set as zero.
139 00:10:20,700 --> 00:10:24,250 After that, we call WaitForSingleObject, because the thread is running.
140 00:10:24,270 --> 00:10:25,260 We don't want the program
141 00:10:25,620 --> 00:10:27,150 to terminate while the thread is running.
142 00:10:27,870 --> 00:10:36,660 So this is the way in which you can create a program with shellcode inside it, and allocate space in
143 00:10:36,720 --> 00:10:41,190 memory using VirtualAlloc, and then copy the shellcode to the newly allocated space,
144 00:10:41,580 --> 00:10:44,250 and then change its protection to executable.
145 00:10:45,150 --> 00:10:49,210 Now, why is it over here that we don't put executable?
146 00:10:49,320 --> 00:10:52,650 Why are we putting executable in a separate API?
147 00:10:53,190 --> 00:10:58,260 And the reason is because some antivirus can detect this anomaly:
148 00:10:59,010 --> 00:11:07,150 if your process suddenly calls VirtualAlloc, which makes it allocate memory that is readable,
149 00:11:07,150 --> 00:11:08,610 writable, as well as executable.
150 00:11:08,820 --> 00:11:16,650 So that's why we split it into two parts, which are VirtualAlloc with writable, and then VirtualProtect to change
151 00:11:16,650 --> 00:11:17,730 it to executable.
152 00:11:18,660 --> 00:11:23,490 OK, so this is what we are going to do. In the next video,
153 00:11:23,770 --> 00:11:27,600 you know, we'll go ahead and try to compile this code.
154 00:11:28,140 --> 00:11:29,880 So I'll see you in the next video.
155 00:11:30,120 --> 00:11:31,140 Thank you for watching.